1. Important information
This policy applies to patients, visitors, staff members, volunteers, students, recruitment candidates, clinicians/consultants, contractors/agency staff, suppliers, trustees, members of the charity, fundraising donors, newsletter subscribers (hard copy newsletter and e-newsletter), gym members and visitors to Horder Healthcare websites and sets out your rights under the new General Data Protection Regulations (also known as GDPR).
2. Who we are
Horder Healthcare (also referred to as “we”, “us”, “our” in this policy) is a leading healthcare charity working across Kent and Sussex, delivering care for both NHS and private patients. Our charitable purpose is the advancement of health and the relief of patients suffering from ill health. We do this by providing:
- At the Horder Centre, Crowborough - orthopaedic surgery and musculoskeletal (MSK) treatment
- At our clinics in South East of England (Horder Healthcare Seaford and Eastbourne) - musculoskeletal (MSK) treatment
- At The McIndoe Centre, East Grinstead - cosmetic and plastic reconstruction surgery, eye surgery, oral and maxillofacial surgery and orthopaedic surgery
To ensure that we process your personal information fairly and lawfully we are required to inform you about:
• Why we need your data
• How it will be used
• Who it will be shared with
• What rights you have in relation to the personal data we collect from you.
Within this policy we describe instances where Horder Healthcare is the “Data Controller” (the organisation which decides what information we collect and how it is used), and where we direct or commission the processing of data to help deliver better healthcare, or to assist the management of healthcare services.
There may be situations where Horder Healthcare processes personal data on the instructions of another organisation (i.e. when Horder Healthcare is acting as a “data processor”), but in those circumstances our use of data would be governed by that organisation.
At Horder Healthcare we recognise the importance of protecting personal and confidential information in all that we do, all we direct or commission, and ensure that we meet our legal duties.
3. What information do we collect about you?
We only collect and use your personal information according to the legal bases defined in the GDPR and for the lawful purposes of administering the business of Horder Healthcare. The legal bases are as follows:
- Consent – where you have given your specific consent to the processing of your personal data.
- Performance of a contract – where the processing of your data is necessary for the fulfilment of a contract, for example, e-referrals for NHS patients are subject to a contract.
- Compliance with a legal obligation – processing of your data is necessary by law and Horder Healthcare is required to comply.
- In the vital interest – we may process your personal data in order to protect your vital interests, for example in providing emergency treatment or care should it be required.
- Public interest – we may process personal data in order to complete a task carried out in the public interest.
- Legitimate interest – we may process your personal data where we have a legitimate “business” interest in processing that information.
The table below shows the purposes and the associated legal basis under which we process your personal data:
|Reason for processing||Legal basis for processing|
|Accounting and auditing||
|Advertising and public relations||
|Conducting analysis and research activities||
|Consultancy and advisory services||
|Directing Horder Healthcare activities||
|Education and training for staff members||
|Employment and staff administration||
|Healthcare administration and services||
|Invitation to meetings and other events||
|Medical records management||
|Management of donations and fundraising activities||
|Third party delivery of services||
Please note that should your relationship with Horder Healthcare change, the legal basis under which we hold your data may also change.
4. What types of personal data do we handle?
We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts, promote our services and to support and manage our employees. We also process personal information about healthcare professionals that deliver services within Horder Healthcare.
The types of personal information we use:
|Type of personal information||Individual group the information may apply to|
|Personal identity - title, name, marital status, date of birth, National Insurance number, NHS number||
|Contact details - addresses, landline telephone & mobile numbers, email address||
|Family details – next of kin names, addresses and telephone numbers, relationships to next of kin||
|Financial details – such as bank sort code/account number, payment card number||
|Employment details – such as salary, annual leave, pension, benefits, discipline and grievance, payroll, tax information, performance data, occupational health data and security clearance data||
|Education and training such as training records, qualification verification, employment history and CVs||
|Details held in the patient’s record, where we hold or manage the patient’s record, such as NHS number, GP details||
|Lifestyle and social circumstances such as questions about smoking, drinking and general lifestyle||
|Responses to surveys where individuals have responded to surveys||
|Directorship/membership of other organisations or similar information in order to determine any conflicts of interest||
|Fit and proper persons declarations||
We also process special categories of information for patients, staff, students, trustees, members of the charity and consultants, which may include:
- Racial and ethnic origin
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health
- Genetic data
- Biometric data
- Data concerning a person’s sexual orientation
- Offences (including alleged offences), criminal proceedings, outcomes and sentences
- Employment tribunal applications
- Complaints, accidents, and incident details
- Health data (including morbidity and disability)
5. How will we use information about you?
Your information is used to ensure the delivery and improvement of our services.
5.1. For our patients, your data may be used to:
- Manage our relationship with you
- Register all patients onto our Patient Administration System
- Register new referrals for existing patients on our systems, update demographic details and health records with new referral details
- Record telephone calls made to the appointments department in relation to appointment enquiries
- Allow the preparation of health record folder (notes)
- Investigate complaints, legal claims or serious incidents
- Make sure services are planned to meet patients’ needs in the future
- Check and report on how effective Horder Healthcare and the services it provides has been
- Display patients’ names and the consultant they are visiting on LCD TV screens within outpatient and reception waiting areas
- Display patients’ names on the whiteboard in nurse stations within the Inpatient Wards
- Create operation notes and letters for communicating outcomes with patients’ GPs
- Ensure correct patient information at all times by using their name on identity bracelets, if patients are admitted for surgery
- Order medical devices, such as hip and knee prosthetics for surgical procedures
- Process anonymised statistical information on hospital performance
- Address customer service enquiries made via the website
Patient Administration Systems
Horder Healthcare is the data controller for our electronic Patient Administration Systems. These systems hold personal details of all patients that have been referred via:
- the NHS e-Referral system (for NHS patients)
- Secure email (such as NHS.net account used by General Practitioners or encrypted email if the patient was referred privately)
- By secure fax (Safe haven)
The information held on these systems is used primarily for the purpose of administering healthcare services; it may however be used for other non-health related purposes and shared with statutory
bodies/organisations to enable them to fulfil their statutory obligations. ‘Non-health related purposes’ relate to processing such as contracted reporting to the Private Hospitals Information Network (PHIN) using pseudonymised data. We may also use the information within the administration system for statistical analysis to see how the organisation is performing with respect to business targets and objectives and quality of care.
The information will only be shared with other organisations where there is a statutory or contractual obligation to do so, or with the agreement of the Horder Healthcare Caldicott Guardian and the Information Governance Officer. A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing.
We may keep your information in a written form or on a computer. Whenever possible all information that identifies you will be removed.
5.2. For our staff, students, recruitment candidates, contractors/ agency staff, consultants and suppliers, your personal data may be used to:
- Manage our relationship with you
- Fulfil our duty of care towards staff in the event of a major incident (e.g. in the event of a lockdown, Fire)
- Verify employment history, qualifications and experience
- Validate ‘right to work’
- Assess suitability for employment during selection process
- Undertake personal development of employees
- Deliver payroll for employees
- Fulfil our duties in respect of national insurance and tax accounting
- Manage disciplinary and grievances
- Undertake due diligence and risk assessment of supply chain
- To communicate with you in the event of a major incident (e.g. in the event of a lockdown, Fire)
5.3. For our trustees, members of the charity, subscribers and fundraising donors, your personal data may be used to:
- Manage our relationship with you
- Invite you to attend meetings and events that may interest you
- Send you our newsletters
- Keep you updated about our performance
6. Sharing Your Information
We may disclose your personal information for a number of reasons (to the extent necessary). This can be due to:
- Our obligation to comply with current UK legislation
- Our duty to comply with a court order
- A contractual commitment to report statutory information
- You having provided us with your consent to the disclosure of your data
- Where we are required to do so by law
- The sharing of your data will ultimately benefit you as the data subject
- Our obligation to comply with our regulators
In fulfilling our obligation to provide services (healthcare and other services) we may share your data with the following:
- National Health Service (NHS) organisations
- Referral Services
- General Practitioners (your Doctor)
- Imaging Exchange Portal (a web-based portal used to allow sharing of scan images between healthcare trusts/organisations)
- Specialist consultants (medical and non-medical)
- National Joint Registry (for bone donation)
- Public Health England (PHE)
- Contracted third parties providing services or devices, medical and non-medical
- Healthcare insurance providers
- Pathology laboratories
- Occupational Health services (staff)
- Companies House
- The Charity Commission
- Health & Safety Executive (HSE)
- National registries (i.e. Breast registry, Spinal registry, Joint registry) with patients consent.
- Private Healthcare Information Network (PHIN)
- Communication Service (Text alert)
- Payroll Service
7. Sharing your Information outside of the European Economic Area (EEA)
We may from time to time be required to share your information with other service providers who are outside the UK and the EU. The sharing of your information with these providers is necessary in order to provide the necessary medical device or service. The transfer of personal data internationally will be conducted with the appropriate legal mechanisms in place.
8. How long will we keep your data for?
We will keep your personal information in accordance with our Information Retention Policy and for only as long as is lawfully necessary to conduct our business with you, and/or in accordance with our legal obligations for data retention.
9. Your rights
GDPR gives a number of rights over your data, subject to certain criteria being met. These are:
- Right of access to your personal information and supplementary information (for example your medical record). Once we have received your request we will respond within 30 days. This information will be sent to you free of charge.
- Right to rectify/amend your personal information if it is incorrectly recorded. You have the right to question any information we hold about you that you think is wrong, out of date or incomplete. If you do, we will take reasonable steps to check its accuracy and correct it.
- Right to object and Right to be forgotten
You have the right to object to our use of your personal information, or to ask us to delete, remove or stop using your personal information if it is no longer needed for the purpose it was collected or otherwise processed. This is known as the ‘right to erasure’ or ‘right to be forgotten’.
- Right to restrict the use of your personal information if:
- It is not accurate;
- It has been used unlawfully but you do not want us to delete it;
- It is not relevant any more, but you want us to keep it for use in legal claims; or
- You have already asked us to stop using your personal information but you are waiting for us to assess your request and confirm whether we are permitted to continue using the personal information under data protection law.
Right to obtain your personal information in a portable format
You have the right to get copies of your personal information from us in a format that can be easily re-used. You can also ask us to pass on your personal information to other organisations.
10. Freedom of information
Horder Healthcare is not a public authority and is not governed by the Freedom of Information Act.
11. Changes to this policy
12. Contact Us
13. Your right to complain
If you are not satisfied with our response or the way we are processing your personal information you can contact the Information Commissioner’s Officer (also known as the ICO) at www.ico.org.uk. The ICO is the statutory body which oversees data protection law in the UK.